Mastodon cannot be securely used with Tor since it cannot run as a native hidden service. If you do not use Mastodon with a hosted VPN (such as Mullvad), then both the server and @nvk can log your IP address. The server is a honeypot of personal info on bitcoiners, including DMs. Be aware!

@mattodell so, where do I see who is running this server?

@Polacci @mattodell lol I'm sure he would laugh at that, sure he's jack now

@mattodell @nvk would mastodon be interested in serving the community to fix this? We are homeless

Sorry I don't entirely get it. If I log in to Mastodon through Tor, the server I'm logging into is still able to see my IP?

@Raindogdance no, but since it isn't a native hidden service you are vulnerable to man-in-the-middle attacks by the exit node you use

It's definitely possible to allow users to connect to the Mastodon site through an onion service; for example, I have one available at bvrgrzu5awjacohape5s6s3j2loclt

@orionwl @mattodell @nvk also, that the server holds DMs is presumably orthogonal to this. E2E encryption would be nice, requiring key infrastructure though. I treat DMs here as quasi-public, but I also do that for other platforms.

Right, I wouldn't hold my breath for Mastodon supporting E2E encryption; I'm not sure it's even good if every piece of software develops its own E2E-encrypted private communication, because it spreads out cryptography review so much.
It's a publication protocol mainly.

FWIW, x0f also runs a Matrix server, a chat protocol that supports E2E (even for group chats). If you're on this server and interested in an account, let me know.

@orionwl @waxwing @mattodell @nvk I wouldn't be surprised if the Mastodon devs actually think E2E encryption on chats would be a negative. Mastodon is designed around a community model, with moderation, in a context of being worried about abuse and toxic behavior. If that's your design goal, is E2E encryption on DMs actually a feature you want? _I_ would say yes. But I can imagine those devs saying no.

Don't know about Mastodon, but the Pleroma dev (@lain) actually wrote an interesting and complete article about E2EE on the fediverse and for instant messaging in general.

If you think your *instance* (not Mastodon) admin's goal is to rob you, maybe you're on the wrong instance?
If your threat model is as 'paranoid' as you seem to indicate, Mastodon has a solution for that (too): run your own instance.

I assume that you've also informed all your followers on birdsite that the minimum-wage-earning employees of Twitter have access to a wealth of personal info. But in this case, there is no remedy.
Be aware!

(also, don't trust VPN providers)

@FreePietje @mattodell VPNs are honeypots, but at least they decouple metadata from your account (assuming no MITM). And it's better for people to be aware of the risks and make the tradeoff for themselves, explicitly and informed, than implicitly and uninformed.

I fully agree.
But I found that the tradeoffs weren't made clear; that's why I felt the need/urge to 'rile' against it a bit.

VPNs are often presented as some magical privacy and security solution, which they are not. If you're aware of the risks and tradeoffs, you surely can use them.
When all (your) Tor exit nodes are compromised, then the most likely scenario is that the NSA is after you. If you're not Elliot Alderson, that *very* likely means game over.

@mattodell @nvk Pretty sure Mastodon can be run behind a Tor onion. It even has a setting for whether or not a clearnet Mastodon should federate over Tor.

@nvk - It would be great if we could access it through an onion address. Late Christmas gift!

@MrHodl @nvk I was mistaken, it can be run as a hidden service, we need nvk to enable it (or run our own instance that does)

@mattodell @nvk lucky no one has DM'd me in the 3 years I've been using this platform lol 😭

@Brittkelly @mattodell @nvk just logged in after 2 years. I feel less alone now 🤣

Isn't Twitter a much bigger honeypot of personal info on bitcoiners rn?

@mattodell @nvk Agreed, was hoping to use bitcoinhackers as my main Mastodon instance, now using (great service), which allows for Tor access.
Saying MASTODON cannot be accessed through Tor is a bit unfair.

@mattodell @nvk in which way are native Tor hidden services more secure for the user vs a standard website? The exit node in both cases knows a long-lived web address (either .onion or .org). Doesn't it just prevent leaking the IP of the server?

